Spyware, Viruses, & Security forum

CNET's spyware, viruses, & security forum is the best source for finding the latest news, help, and troubleshooting advice from a community of experts. Discussions cover how to detect, fix, and remove viruses, spyware, adware, malware, and other vulnerabilities on Windows, Mac OS X, and Linux.

NEWS - July 26, 2013

U.S. federal authorities have indicted five men, four Russians and a Ukrainian, for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.

The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.

Federal prosecutors in New York today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert "Soupnazi" Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.

Dozens of companies are vying for contracts to be part of the Department of Homeland Security's new shopping hub where federal, state, and local agencies can buy services to protect their computer networks, according to a Bloomberg BusinessWeek report.

As many as five companies will be awarded contracts by the General Services Administration, BusinessWeek reported on Tuesday. The $6 billion figure is the maximum value of those contracts, which can be as long as five years. BusinessWeek has confirmed major defense and government contractors Northrop Grumman, Lockheed Martin, SAIC, and Computer Sciences Corp. have also submitted bids.

"We're not talking about buying pencils; we're talking about an advanced technology architecture system," Michael Carpenter, president of U.S. sales for McAfee, told Bloomberg BusinessWeek. McAfee is one of the companies interested in being part of the program.

I warned in my last article about the CNN Breaking News malware attacks that are exploiting news stories about the royal baby and other topics, but the latest incarnation of this internet attack really sends a chill down the spine.

Spam messages have been sent out about the horrific inter-city train derailment near Santiago de Compostela in the north-west of Spain, claiming to be a breaking news report from CNN.

Here's what the messages can look like, with content clearly lifted from a real CNN online report: [Screenshot]

One of the challenges in malware research is separating the truly novel innovations in malcoding from new nasties that merely include nominal or superficial tweaks. This dynamic holds true for both malware researchers and purveyors, albeit for different reasons. Researchers wish to avoid being labeled alarmist in calling special attention to what appears to be an emerging threat that turns out to be old news; the bad guys just want to avoid getting scammed into paying for an old malware kit dressed up as the new next big thing.

On Tuesday, RSA Security somewhat breathlessly announced that it had spotted KINS, a ZeuS Trojan variant that looked like "a new professional-grade banking Trojan" that was likely to emerge as the "next Trojan epiphany" in the cybercrime underground. RSA said the emergence of KINS was notable because the reigning ZeuS Trojan derivative, the Citadel Trojan, had long ago been taken off the market, and that crooks were anxiously awaiting the development and sale of a new botnet creation kit based on the leaked ZeuS source code.

With the new royal baby making headlines, BBB expects to see scammers taking advantage of the public's eagerness to see photos of the newborn prince.

BBB warns, be careful when searching Google for news about the royal baby. Scam artists use fake websites to corrupt your computer.

On Facebook, you may see a friend likes an "exclusive" video of the new royal baby. Curious, you click on the link. You are taken to a third-party website, where a pop-up appears prompting you to "update your video player" before you can view the clip. You click "OK." However, when you download the file, you aren't updating your software. You are downloading a virus that scans your machine for banking and other personal information. Similar scams can be found on Twitter and other social media.

Scam artists also prey on victims through "phishing" emails that promise "exclusive videos." The link in the email takes you to a third-party website that asks for your personal information.

Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow for a remote code execution and should be taken as a demonstration of payloads.

There is a fascinating presentation due to be given at DEF CON 21 by Charlie Miller, of Twitter, and Chris Valasek, of IOActive. They have received a grant from DARPA, the Defense Advanced Research Projects Agency, to perform research on "hacking cars."

As motor vehicles advance technologically, they incorporate more and more computers. So far, the threat of them being hacked has largely been ignored, as they have been seen as "stand-alone" systems. There is a trend to increase vehicle connectivity, and with this comes the potential risk of vehicles falling prey to malicious software. Suddenly, the glowing magnet devices of the latest iteration of the "Fast and Furious" franchise, which caused the heroes' cars to careen through buildings uncontrollably, do not seem all that far-fetched.

I personally liked that it was used as an excuse to showcase awesome classic cars, on account of them not having onboard computers, but hey, I'm also a car guy.

Many cars have systems such as OnStar, a cellular-enabled roadside assistance service offered in some GM vehicles. Concerns have been raised on possible use of this system as a surveillance tool, something OnStar says isn't possible. Their terms of service do say they retain the GPS data, and may sell it to third parties, after "anonymizing" it. I'm curious how you could anonymize this GPS data. I park my car in my driveway. The capabilities of these types of systems, such as unlocking doors and turning the engine off, if done with malicious intent, are a sobering thought.

Poker player who won $1.5 million charged with running Android malware ring

A man who has won about $1.5 million in poker tournaments has been arrested and charged with running an operation that combined spam, Android malware, and a fake dating website to scam victims out of $3.9 million, according to Symantec.

Symantec worked with investigators from the Chiba Prefectural Police in Japan, who earlier this week "arrested nine individuals for distributing spam that included e-mails with links to download Android.Enesoluty—a malware used to collect contact details stored on the owner's device," Symantec wrote in its blog.

Android.Enesoluty is a Trojan distributed as an Android application file. It steals information and sends it to computers run by hackers. It was discovered by security researchers in September 2012.

The suspect flagged as the "main player running the operation" is 50-year-old Masaaki Kagawa of Tokyo, president of an IT firm named Koei Planning and a poker player with success in high-stakes tournaments around the world.

"In the usual manner of scammers, new phishing emails have surfaced which take advantage of Apple's security vulnerabilities."

In order to make sure a phishing campaign works, the victim has to believe an email is legitimate. It's no surprise that the Apple security breach is the latest event to be taken advantage of.

Phishing attacks are a relatively simple way to steal data. Users click on an email they believe to be legitimate, allowing malware to be installed or submitting login details for a service, whether it be a fake bank email, a service, or the Spanish lottery. Perhaps if you're particularly lucky, there is a wealthy gentleman in Africa who wants to transfer millions of dollars to your account -- but only if you forward along some of the costs in advance, of course.

Phishing campaigns have advanced from the days of poorly-written English and laughable stories. Now, some scammers take pains to make sure the email looks legitimate, from including a PayPal logo to the typical disclaimer of a bank at the bottom. Once clicked on, users are often directed to legitimate-looking websites set up to store the credentials you input.

In a new campaign, the recent service outage of Apple's Dev Center has prompted a flood of phishing emails asking users to change their passwords -- and short as the email is, to the average user, it may be viewed as legitimate. [Screenshot]

21-year-old Jay Matthew Riley, of Woodbridge, Virginia, had an alarming pop-up appear on his computer a few days ago.

The warning message which was displayed on Riley's computer claimed to be from the FBI and accused him of "child pornography" crimes.

The message probably looked similar to the one below, telling Riley to pay a fine or risk being investigated. [Screenshot]

Of course, the message is fake. It's displayed by all-too-commonly encountered ransomware, which locks victims' computers and displays distressing messages about child sexual abuse in an attempt to trick computer owners into paying money.

Security companies would do well to build their products around the physician's code: "First, do no harm." The corollary to that oath borrows from another medical mantra: "Security vendor, heal thyself. And don't take forever to do it!"

On Thursday, Symantec quietly released security updates to fix serious vulnerabilities in its Symantec Web Gateway, a popular line of security appliances designed to help "protect organizations against multiple types of Web-borne malware." Symantec issued the updates more than five months after receiving notice of the flaws from Vienna, Austria based SEC Consult Vulnerability Lab, which said attackers could chain together several of the flaws to completely compromise the appliances.

"An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/LDAP credentials) which can be used in further attacks," SEC Consult warned in an advisory published in coordination with the patches from Symantec. "Since all web traffic passes through the appliance, interception of HTTP as well as the plain text form of HTTPS traffic (if SSL Deep Inspection feature in use), including sensitive information like passwords and session cookies is possible."

In the past, Malwarebytes Anti-Malware has detected only PUPs, or Potentially Unwanted Programs, that were mostly harmful and deceiving. Our users expected more and so we've revised our policy to include PUPs in our database that most of our users find annoying or misleading. Within the next few days, detection for many new variants will be added.

Malwarebytes feels most of our users have no knowledge that these PUPs were installed and would like them removed. Several thousand forum posts and support tickets confirm our standpoint. Ranging from difficult to uninstall applications to software that makes you opt-out, we've had enough of it all!

We invite all antivirus companies to join our fight, not only against malware, but also against unwanted and undesirable software. The only way we will make a difference is collectively.
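Several of the items in this round-up (the CNN "breaking news" spam, the royal-baby "exclusive video" lures, and the Dev Center password-reset emails) share the same mechanics: a message that borrows a trusted brand's look while its links point somewhere else. The following is an added example, not code from the CNET post or from any of the vendors quoted in it, of the checks a mail filter or analyst script can apply to a raw message: Reply-To and From domains that disagree, link text that names one host while the href goes to another, and link targets outside the sender's domain. The two sample messages are constructed for this example and use example.com/example.net placeholder domains; the registrable-domain helper is a deliberate simplification that ignores the public-suffix list.

```python
"""
Added example: heuristic phishing indicators for an email message.
Not from the CNET forum post or any vendor it quotes. Sample messages
and domains below are constructed for illustration only.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Matches visible link text that is itself a bare host name (e.g. "devcenter.example.com").
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude 'example.com' from 'sub.example.com' (assumption: no public-suffix handling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _addr_domain(header: str) -> str:
    """Registrable domain of the address in a From:/Reply-To: header value."""
    addr = header.split("<")[-1].rstrip(">").strip()
    return _registrable(addr.rpartition("@")[2]) if "@" in addr else ""


def _host_in_text(text: str) -> str:
    """Host named by the visible link text, or '' if the text is not URL-like."""
    t = text.strip()
    if "://" in t:
        return urlparse(t).hostname or ""
    return t.lower() if HOST_RE.match(t) else ""


def phishing_indicators(raw_email: str) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw_email)
    from_dom = _addr_domain(msg.get("From", ""))
    reply_dom = _addr_domain(msg.get("Reply-To", ""))
    findings: List[str] = []

    # 1. Replies routed to a domain other than the apparent sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    body = msg.get_payload(decode=True) or b""
    parser = _LinkCollector()
    parser.feed(body.decode("utf-8", "replace"))

    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        text_host = _host_in_text(text)
        # 2. Visible text names one host, the href goes to another.
        if text_host and _registrable(text_host) != _registrable(href_host):
            findings.append(f"link text {text_host} != link target {href_host}")
        # 3. Link target outside the sender's own domain.
        if href_host and from_dom and _registrable(href_host) != from_dom:
            findings.append(f"link target {href_host} outside sender domain {from_dom}")
    return findings


# Constructed lure modelled on the password-reset theme described above (not a real message).
SAMPLE_PHISH = """\
From: Developer Center <no-reply@devcenter.example.com>
Reply-To: support@devcenter-verify.example.net
Subject: Action required: reset your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our Developer Center was recently taken offline. Please reset your password now.</p>
<p><a href="http://devcenter-verify.example.net/reset">https://devcenter.example.com/account/</a></p>
</body></html>
"""

# Constructed benign notice for comparison.
SAMPLE_CLEAN = """\
From: Developer Center <no-reply@devcenter.example.com>
Subject: Developer Center status
Content-Type: text/html; charset=utf-8

<html><body>
<p>Service has been restored. <a href="https://devcenter.example.com/news/">Read the update</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run against the constructed lure this reports all three indicators; the benign notice produces none. A production filter would replace `_registrable` with a public-suffix-aware library and add sender-authentication results (SPF, DKIM, DMARC) as further inputs, but the three checks above already catch the "looks like the brand, goes elsewhere" pattern the items in this thread describe.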